When GDPR went into effect one year ago, it was clear that companies were not ready. Reports show that many companies still aren’t GDPR compliant: half of companies self-reported missing the May 25, 2018 GDPR deadline, and most took seven months or longer to reach compliance.

Companies and consumers alike have become more sensitive to how data is collected, processed and stored, and the regulations show no sign of slowing down. The data breaches of the last 12 months mean that more personal information is on the dark web and available for purchase, and consumers care more about privacy as a result. These breaches have helped fuel account takeovers, which tripled in 2017 and remain an emerging threat. While attention is currently on GDPR, another regulation is on the way as the US follows in the footsteps of the EU: the California Consumer Privacy Act (CCPA).

When the CCPA goes into effect on New Year’s Day 2020, it is expected to be the strictest data privacy law in the US and will set the tone for other states looking to protect consumer privacy. It is not just a California initiative: the regulation affects any company that collects personally identifiable information (PII) online from California consumers. The CCPA is the first step toward the US adopting GDPR-like measures with wide-reaching impact.

The California Consumer Privacy Act was created to protect the privacy and data of consumers. The CCPA is intended to give Californians the who, what, where and when of how businesses handle consumers’ personal information. After January 1, 2020, the CCPA affords California residents an array of new rights, starting with the right to be informed about what kinds of personal data companies have collected and why it was collected.

Among other protections, the law stipulates that consumers have the right to request the deletion of personal information in a “readily usable format” that enables its transfer to third parties without complication. A key area where there is significant confusion is how to verify the requests companies will receive.

In practice, for-profit companies anywhere in the world must comply with the CCPA if they receive personal data from California residents and if they, their parent company or a subsidiary exceed one of three annual thresholds: gross revenues of $25 million; receiving, selling or sharing the personal information of 50,000 or more California residents or devices; or deriving 50 percent or more of revenue from selling consumers’ personal information.

The CCPA, combined with GDPR, poses significant challenges, and companies need to be preparing now if they hope to meet the Jan. 1, 2020 deadline. To meet the CCPA’s requirements, companies will need to implement the following procedures:

Right to Access: Organizations subject to the CCPA must honor consumer requests regarding the right to access their personal information.
Right to Delete: Organizations subject to the CCPA have an obligation to honor consumer requests regarding the right to delete their personal information.
Right to Opt Out: Organizations subject to the CCPA need to provide a clear and conspicuous link entitled “Do Not Sell My Personal Information” on their website and in their privacy policy by Jan. 1, 2020.
Children’s Information: Organizations subject to the CCPA cannot willfully disregard a consumer’s age in order to claim they did not know they were handling a child’s information.
Privacy Policy: Organizations subject to the CCPA are required to disclose the categories of consumers’ personal information collected and the purpose regarding their collection and later usage. In addition, organizations that sell personal information are required to notify such consumers about the probability of their information being sold and their right to opt out.
Process for Consumer Authentication: While data privacy is at the heart of CCPA, companies need to ensure that they’re only releasing data to the actual account owner, and not a fraudster posing as a legitimate user.

According to a survey conducted by Compliance Week, 45% of compliance professionals surveyed said they are “working on a preliminary plan,” while another 26% said they have not started at all. Only 15% said their plan is “well underway,” and 13% said that while they have a plan in place, nothing has started. Failure to address an alleged violation within 30 days could be detrimental to a company: it could lead to a $7,500 fine per violation, and a violation could be counted per record or customer file.

Companies are taking a big risk by not having a plan underway or in development. Based on incident response time under GDPR over the past 12 months, companies may have trouble locating, collecting and deleting consumer data across their infrastructures.

Furthermore, as companies work toward CCPA compliance throughout the remainder of 2019, they will need to be prepared for consumer requests as they come in.

Companies must be ready to provide customers with a complete list of the personal data collected, understand how that data was collected and stored, manage consumer requests for deletion of personal data and have a process in place to delete personal data easily if requested. If a company uses a third party, this means knowing where the data exists within the vendor, as those vendors will also need to be ready to comply with the CCPA.

In addition, companies must implement a policy against re-selling consumer data without prior acknowledgment, store PII securely, have a predetermined data retention policy in place to ensure the timely deletion of data, and be able to manually override retention policies and delete consumer data upon written request.

Companies of all types are still grappling with the nuances of GDPR compliance, and the regulations are far from over. Data breaches continue to occur on a consistent basis, consumers are now more aware of, and sensitive to, how their data is collected, used and monetized, and power is shifting back into consumers’ hands.

While GDPR laid the foundation, stricter laws are on the horizon with the CCPA, and the anniversary of GDPR is a good reminder that there is a long way to go. January 1st will be here before we know it, and preparation must begin now in order to be ready.
